Banging my head against a wall with user accounts :P

smokey-chris

Hi All

Wow, I am struggling with user access. The TrueNAS documentation is just horrendous for newbs.

I have set up my test-rig NAS tonight with 12u2 to consider if I should migrate to TrueNAS.

I have created a SSD-Pool with 3 datasets: Movies, Services, TV Shows.
I have created a Samba share to the NAS: NAS-SSD
I have created users: Chris, Jo, Services
I have created groups: Family, Friends, Services

So Chris is part of the Wheel group; Jo is part of the Family group, and Services is part of the Services Group.

I had to edit rwxrwx--- for Wheel through the Shell commands following a tutorial. I can log in as Chris via Mapped Network Drive \\MyNas\NAS-SSD\
I can see Movies, Services and TV Shows.
I am able to write.

Now I have set up the movies folder with "Edit Permissions"; "Select a ACL Preset"
The Owner is Chris and the Group is wheel.
I have then set up the following ACLs:

Who: owner@
ACL Type: Allow
Permission Type: Basic
Permission: Full Control
Flags Type: Basic
Flags: Inherit

Who: Group
Group: Family
ACL Type: Allow
Permission Type: Basic
Permission: Full Read
Flags Type: Basic
Flags: Inherit

Who: Group
Group: Friends
ACL Type: Allow
Permission Type: Basic
Permission: Full Read
Flags Type: Basic
Flags: Inherit

Who: Group
Group: Services
ACL Type: Allow
Permission Type: Advanced
Permission: (everything except read/write ACL for things like PLEX altering media file names, deleting files)
Flags Type: Basic
Flags: Inherit


If I log in as "Jo" with her password, it says "Access is denied". I do not have an email selected for her username and have tried both Microsoft Account tickbox ON and OFF.
Ideally I would like her to see the folders: Movies, TV Shows, Services (Prefer not but OK)
I would then like her to have read access to watch a movie.
I want the rest of the NAS to be useable to anyone without a login.


I'm at a loss what I have not done...
Can someone give me a pointer, what I am missing?

Thanks
Chris
 
winnielinnie

> I have created a Samba share to the NAS: NAS-SSD

Couple questions.

Are you sharing the "root dataset" itself for the SMB Share? That might explain some of the permissions confusion.

Secondly, does the following forum post look familiar to your problem in regards to accessing the mapped drive (Windows PC)?

https://www.truenas.com/community/t...ferent-credentials-to-smbs-doesnt-work.90155/


Take a look at this Microsoft Docs article, particularly this part:
> Status
> This behavior is by design.
>
> Workaround 1
> Use the IP address of the remote server when you try to connect to the network share.
>
> Workaround 2
> Create a different Domain Name System (DNS) alias for the remote server, and then use this alias to connect to the network share.
>
> After you use one of these methods, you can use different user credentials to connect to the network share. In this situation, the computer behaves as if it is connecting to a different server.

Unfortunately, it seems to have been by design for a good while now, even with Windows 10. :frown:
 

smokey-chris

In the Windows Shares (SMB) - I have purpose: default share parameters and the tickbox enabled ticked.
In the SMB shares ACL - it has:
SID: S-1-1-0
No Domain
Permission: Full
Name: Everyone
Type: Allowed

I will try the IP address method just to check it's not Windows playing up.
 
winnielinnie

> I will try the IP address method just to check it's not Windows playing up.

Just to be clear, you would use the IP address for one user, say "jo", and the domain name for another user, say "chris". Or you can create different DNS aliases for your TrueNAS server, this way you can trick Windows into thinking each address is a "different" server, and thus use different credentials for each one.

> In the Windows Shares (SMB) - I have purpose: default share parameters and the tickbox enabled ticked.

Was this done on the "root dataset"? The root dataset is the top-level dataset that shares the same name as the pool you created in TrueNAS. So if you made a pool named "mybigtank", then the top-level root dataset will also have the name "mybigtank". It's not advised to directly share this dataset, nor can you modify its permissions (they will be "greyed out" and protected from modification.)
 

smokey-chris

Yes I can see, but I think my issue is slightly different. I am logging in with Chris on the IP and Jo with the name of the server; it is still saying Access Denied.

Yes, the root dataset is the top-level share. NAS-SSD is the share of SSD-Pool-Strip.

 
winnielinnie

> Yes, the root dataset is the top-level share. NAS-SSD is the share of SSD-Pool-Strip.

Can you test this out again, but don't use the top-level root dataset? Since this is only a "test machine" and there's no real data to preserve, you can make a dataset under SSD-Pool-Strip named zdataroot, and then under zdataroot, you can create Movies, Services, and TV. Then you modify the permissions, create an ACL, and point the SMB Share to zdataroot (instead of SSD-Pool-Strip).

I suggest naming datasets without any symbols or "spaces".
 

smokey-chris

Thank you

That worked :)



Setup with READ for Group Family and Full Control for User Chris
That was done on MainDataSet with traverse to all child datasets.
Works a treat.

I'm off to bed, but winnielinnie - big thanks, my education rocketed tonight. With shares, quirks of Windows, users and sharing. No special characters either.

Sorry I missed the zdataroot but next time I set the real thing up, I'll use that.
 
winnielinnie

So glad to hear! :smile:

Keep playing with your test rig in the meantime if there's no rush. It's better to try different ideas, make mistakes, and break things in a test environment before you fully commit to creating your actual datasets and filling them up for real daily usage.

Side note: While using particular names is not a hard rule per se, it's recommended to avoid using "spaces" in your dataset names. I noticed TV Shows has a space in it. TVShows, TvShows, TV_Shows, TV-Shows, tvshows, etc, are possible alternatives.

Another side note: If you plan to use native ZFS encryption, it's a good habit to get into using "boring" or "inconspicuous" names for your datasets and snapshots, since those names will be available to anyone, even when the dataset is "locked" or the system is powered off.
 